Grist Core
CVE-2024-56357
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the javascript: scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust.
AnalysisAI
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the javascript: scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust. Affected products include: Getgrist Grist-Core. Version information: version 1.3.1..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Grist Core
View allGrist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to
Stored and reflected cross-site scripting in Grist (grist-core) before 1.7.15 lets an attacker place a javascript: URL i
Stored and reflected cross-site scripting in Grist (grist-core) prior to 1.7.15 lets a document editor inject script int
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
Unauthorized schema disclosure in Grist Core prior to 1.7.15 allows any user with partial read access - explicitly inclu
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today